Monday, July 31, 2006

SanDisk is "cruzing" for a bruisin' with their U3 Launchpad

Tonight, I was helping my mother with her Mac laptop and new "SanDisk U3 Cruzer Micro" memory stick. She purchased it to be able to "carry pictures around", mostly from her computer to the Jean Coutu so they could be printed. Simple enough.

She tells me she had had some difficulty when she last tried it, so, this being 2006 and plug-and-play no longer needs to be [air] quoted, I ask her to plug it in to see what would happen. She does and some "disk utility" thing seems to pop up. She might have clicked something that was bouncing in her dock or something (my attention was diverted for a second) but there it was. I recognized the window for what it was, and had her exit it since I also noticed a new icon on her desktop that looked like what you should expect from plug-and-play.

She double-clicks on said icon and, as expected, a window opens up with the contents of the removable device. Except there already files in there. A System folder, a Documents folder and some EXE. At first, I thought it might have been the case she picked up a used memory stick. By digging into the folders, I notice it's software that would most likely be bundled, such as Skype. I simply have her delete everything on the memory stick, except that the EXE in the root folder wasn't getting deleted because it was marked as "protected". "Weird, but not a problem", I tell her; "I'll just erase that when I try it in my laptop".

So she plays around for a bit, I show her how she can drag pictures from iPhoto into the window representing her memory stick and all goes well. I show her how she "ejects" the device before unplugging it (she remembered the scolding she got last time she didn't eject it first) and then I plug it in my laptop to make sure the pictures were indeed copied.

After plugging it in to one of the USB ports, I notice my computer taking a long time "installing" the new drivers. I thought that was odd as I frequently pop in my digital camera's SD card in the appropriate slot on the side of the computer and it works just as floppy disks did. Then I notice the set of "devices" being detected includes a "CD-ROM" (??) and this animated splash screen follows by saying that the launchpad is loading and it will appear in my system tray when it's done loading. Only it just hung there, most likely because I was running under a low-permission account; I kill the process and fire up my favorite file manager, only to notice there are TWO new devices showing up and one of them indeed looks like a CD-ROM drive.

I'm pretty sure I didn't miss a Slashdot announcement on compact disks being reduced to the size of a dime (mini-SD cards excluded) and then I realize what had happened; that EXE on the memory stick had been executed and had installed some "drivers" to be "helpful". Remembering why Sony sucks, I start to panic: what if I just got infected with some similar shit? Why weren't my permissions low enough to prevent this?? Why didn't I turn "AutoPlay" off earlier???

If you are still reading intently at this point, you are probably a fan of hyperlinked IT drama stories, and that's pretty sad. Just scan like everybody else and scroll already to the part about removing the damn thing, which has been placed just below this paragraph to ease you into this "scrolling to the interesting stuff" business.

How to remove the damn thing

Web searches for "remove driver u3 sandisk" didn't yield anything interesting except that I noticed lots and lots of people are trying to sell or review the damn things. Note to self: remember to repeat the search and click on Google's "Dissatisfied? Help us improve" link. The closest I found was this answer from the U3 support commonly asked questions:

6. I want to uninstall the U3 Launchpad from my smart drive

The U3 Launchpad is only supported on Windows XP and Windows 2000 operating systems and this restriction extends to U3 Launchpad uninstallers. A U3 Launchpad uninstaller is a software module that removes the U3 Launchpad and re-configures the drive to be a single mass storage USB drive. U3 Launchpad uninstallers are only available for and must be run on Windows XP or Windows 2000 machines. The locations for the uninstallers are provided here:
...followed by two links to the product pages that contain no actual uninstallers (surprise, surprise! - but I did find a link called Launchpad Removal) and the last one allows you to download a program that pretty much reformats your memory stick to remove all traces of the launchpad software on the memory stick.

How to remove the malicious, self-installed drivers

Errr... I'm not sure. Before I found the uninstall software, I tried uninstalling the drivers from Device Manager, but they would come back after plugging the stick in again, even though I was holding down SHIFT the whole time and had disabled AutoPlay for removable drives. Hmmm... Note to self: investigate how to enforce the "no autoplay whatsoever" group policy and file a bug report with Microsoft if that's not possible... no, if it's not super easy.. not that either; if it's not THE DEFAULT BEHAVIOUR on new installs.

The best way is probably to reformat the stick with another operating system, or one that's suitably configured to not get itself infected when plugging stuff in.

What's the problem, here?

You must work for SanDisk or be one of the programmers of U3. I would like to point you to the THE RISKS DIGEST. Read it for a while. Browse through their archives. Find the story from two or more years ago that talked about how easy it would be for malicious programs to automatically run when memory sticks are inserted into PCs and how it could be used for instamatic industrial espionage/sabotage and how this has led to organizations filling in all USB sockets with epoxy (or simply removing them from boxes) to avoid having to deal with the problem altogether.

Now that you are enlightened in the matters of responsible software engineering, go convince your superiors that you should ship BLANK MEMORY STICKS and an optional software CD instead, after releasing instructions or software for removing all traces of your drivers in my registry as well as proving to me, in some way or another, that you didn't also install a keylogger or other malicious software on my computer.

In Conclusion

I'm obviously not paranoid enough about checking my system for the presence of a rootkit infection or disassembling the software to confirm/deny my fears. Maybe someone else (with more free time than me) will come along and make a more informed determination. Oh, and I should stick to the point and stop telling long, boring IT drama stories.